The Department of Parliamentary Services (DPS) has said it agrees with all the findings and recommendations made following a recent cyber security audit by the Australian National Audit Office (ANAO).
According to the ANAO, previous audits had found gaps in identity management, and the office felt an ongoing assessment was necessary given emerging risks.
What this audit found was more than a little alarming. The ANAO found that despite DPS managing more than 10,000 end-user devices used by almost 5,000 users, seven strategies out of the Essential Eight were “implemented below the standard required”.
“The Essential Eight cyber security strategies were not fully implemented in accordance with the requirements of the Protective Security Policy Framework,” the ANAO said in its findings, which were published on 11 June.
“The department was relying on compensating controls without adequate coverage of all systems and risk management of identified vulnerabilities.”
Despite the department establishing proper governance processes, the effectiveness of the DPS’s risk assessment, acceptance and communication was found to be lacking.
Similarly, the ANAO found an outdated policy framework and a limited ability to adequately “apply controls and governance for some of the users it supports”.
Part of the issue, the ANAO said, was the DPS’s varied user base, which includes parliamentarians, their staff, and other entities.
“The differing business and security requirements of these user groups were not reflected in the department’s IT environment. DPS experienced significant turnover in ICT staff in the previous 18 months,” the ANAO said.
“Some technology platforms supporting key business functions require risk-managed operation due to life cycle constraints, and inventories of key information, assets and risks were outdated.”
The ANAO recommended that the DPS review its governance and risk assessment processes and develop a risk-based program to uplift its security posture to achieve compliance with the government’s Protective Security Policy Framework.
The DPS has agreed to all recommendations.
“DPS is committed to working collaboratively with partners across the Parliament and government to strengthen cyber security practices through a program of continuous improvement,” Jaala Hinchcliffe, secretary of the DPS, said in a letter of response to the audit.
“This will further support strengthening of systems and processes in alignment with Australian government standards through embedding Information Security Manual controls and progressing actions to increase our maturity level with the Australian Signals Directorate’s Essential Eight Security Model.”
David Hollingworth